A range of questions that the NCSC believe will help generate constructive cyber security discussions between board members and their CISOs.

CISOs and technical teams are one of the greatest assets any organisation has, and their role in improving your knowledge of relevant cyber security issues shouldn’t be underestimated. For this reason, the NCSC have identified a range of questions which will help generate the right discussions between board members and their CISOs and increase awareness of key topics in cyber security.

Read the full Cyber Security Toolkit for Boards

For more detailed information, please refer to the NCSC’s Cyber Security Toolkit for Boards. It contains resources designed to encourage essential cyber security discussions between the Board and their technical experts.

Q1: How do we defend our organisation against phishing attacks?

Phishing describes a type of social engineering where attackers influence users to do ‘the wrong thing’, such as disclosing information or clicking a bad link. The link could install malware on your system, or direct you to a fake website that asks for sensitive information (such as bank details).

Phishing can be conducted via a text message, social media, or by phone, but these days most people use the term to describe attacks that arrive by email. Attackers use email for phishing because they can reach users directly, and their emails hide amongst the huge number of benign emails that busy users receive every day.

Phishing emails can hit organisations of any size and type. Attacks can steal sensitive information, install ransomware, sabotage your systems, and steal money. You might get caught up in a mass campaign that’s sent to thousands of organisations – where the attacker is looking to collect some new passwords or make some easy money. Or you could be subject to a targeted attack against your company, where the attacker will tailor their emails so they’re even more persuasive and realistic to your employees.

Possible answers

1. We filter or block incoming phishing emails

Why is this important?

Filtering or blocking a phishing email before it reaches your staff is important for two reasons. Most obviously, the attack is less likely to happen. Secondly, it reduces the amount of time your staff spend checking and reporting emails. If you use a hosted email service, your provider may offer a phishing protection service. While it won’t be perfect, you should use such a service if available.

A common attack is ‘CEO-Fraud’, where criminals send phishing emails – purporting to be from a senior within your organisation – asking staff to transfer money. By configuring your external email servers to not accept emails from your own email domain, you will reduce this threat. Staff who have authority to make purchases or transfer funds will still need to be aware of this sort of attack.

2. We ensure external email is marked as external

Why is this important?

Your corporate email server can be configured to add some text to the body (or subject) of an email to help staff quickly identify that an email originated outside your organisation. This knowledge can help them make better judgements about how they should treat the email, and any requests it makes. You will need to understand how this could impact your users’ day-to-day work and explain to them what it means.

3. We stop attackers ‘spoofing’ emails

Why is this important?

Attackers ‘spoof’ trusted email domains, making their emails look like they were sent by reputable organisations (such as yours). These spoofed emails can be used to attack your customers, or your staff. You can make it much harder for attackers to spoof your emails by ensuring your organisation is using the following controls:

  • DMARC (Domain-based Message Authentication, Reporting and Conformance)
  • SPF (Sender Policy Framework)
  • DKIM (Domain-Keys Identified Mail)

These measures help you to control how your email is processed. Organisations that deploy these measures properly can ensure that their email addresses are not used by criminals.

4. We help our staff

Why is this important?

Staff are often asked to perform the impossible task of deciding whether an email is real or not. Make sure there’s a simple way for them to report suspicious emails to your IT security operation and make sure they get feedback. At some point, everyone will get caught out by a phishing attack. Don’t punish staff, or make them feel bad about it; they’re less likely to report attacks and will spend excessive time scrutinising every email they receive. Both these things cause more harm to your business in the long run.

Educating your staff is often over-emphasised in phishing defence. Training can’t ever entirely solve the phishing problem because well-engineered phishing attacks are almost impossible to spot. Recurrent phishing simulations or tests have been shown to have limited long-term effect, so don’t overburden your staff by running them too often.

Having said this, some criminal groups still send out poorly created mass email attacks that may be easier to spot than targeted ones. These more obvious emails may feature poor spelling and grammar, shoddy logos, or may pressure readers into acting urgently. They may refer to you as ‘valued customer’, or ‘friend’, a sign that the sender does not actually know you, and that it is part of a phishing scam. You should encourage your staff to trust their instincts and if it doesn’t feel right to them, ask them to report it.

Attackers may use publicly available information about your organisation and staff to make their targeted phishing messages more convincing. This is often gleaned from your organisation’s website and from staff’s social media accounts. You should help your staff to understand how sharing their personal information, via social media and other platforms, can be useful for attackers.

5. We limit the impact of phishing attacks that get through

Why is this important?

Since it’s not possible to stop all attacks, your organisation should be prepared for those that do get through, so you can lessen their impact. Your preparations will depend on your systems, how you work, and the resources you have, but should include steps such as:

  • using a proxy server that stops access to known bad sites
  • using up-to-date browsers for internet access
  • ensuring malware protection on individual devices is up to date
  • ensuring staff don’t browse the web or check emails from an account with administrator privileges
  • using two-factor authentication (2FA) on your important accounts or services
  • rehearsing your incident response plans for different types of incidents

Q2. How does our organisation control the use of privileged IT accounts?

All staff should be provided with enough system privileges and rights required to perform their role. Granting elevated system privileges should be carefully controlled and managed, a policy often referred to as ‘least privilege’. This principle of least privilege should be assessed as staff leave, join and move departments. It’s particularly important that administrators (and those with extensive rights) who move to other jobs don’t maintain their privileges. All relevant accounts should be disabled when staff leave the company.

Certain roles (such as administrators) require an account with higher privileges to perform their role, in addition to a normal user account. As the impact of a compromised administrator account is significantly higher than a standard user account, it is important that administrator accounts are only used by those who need them, used solely for carrying out administrative tasks, and are removed when no longer needed. Those individuals should use a standard user account for day-to-day functions, such as email and web browsing.

Possible answers:

1. We use ‘least privilege’ when setting up staff accounts

Why is this important?

Staff should only be given the IT access that is appropriate to their job. This will restrict access to data they shouldn’t be able to see, and the functions that they shouldn’t be allowed to do (either deliberately or accidentally). This will also have the effect of reducing the impact of a successful attack (see below).

2. We reduce the impact of attacks by controlling privileged accounts

Why is this important?

Ensure that your staff don’t browse the web or check emails from an account with administrator privileges. Administrators can change security settings, install software and hardware, and access all files on the computer. So an attacker having unauthorised access to an administrator account can be far more damaging than accessing a standard user account.

3. We have strong links between our HR processes and the IT account function

Why is this important?

Ensure that your HR processes drive account creation, modification and deletion, otherwise it is likely that people will end up with access they don’t need, and that accounts will remain active when people leave. Both of these increase the risk and impact of an attack.

Q3. How do we ensure that our software and devices are up to date?

Patching is the process of applying the updates that suppliers and vendors regularly issue to all your hardware and software. From servers and routers to smartphones and laptops, patching enhances functionality but also fixes security bugs or vulnerabilities, so applying patches is one of the most important things you can do to improve your security.

For this reason, you should have in place an audited, risk-based patching strategy. You should also ensure that key staff know what vulnerabilities are present within your IT estate on an ongoing basis, with a formal process in place to manage these vulnerabilities. Executive staff should be as aware of the major vulnerabilities in their IT estate as they are of their financial status, and should understand how those vulnerabilities could impact the core business.

Possible answers:

1. We have defined processes to identify, triage, and fix any vulnerabilities within our technical estate

Why is this important?

If your organisation is large, or has a complex IT estate, then your patching policy will never be as simple as ‘patch everything right away’ as there are many real-world limitations that mean this is not possible. Critical security updates should be applied without delay. Where this is not possible, then other mitigation steps should be taken, but this can never fully remove the risk.

You should also perform regular audits to ensure that your patching policy is being followed, just as you would with a critical financial policy. The potential impact on your business should drive the priority of your patching regime. You should patch internet-connected services first.

2. We’ve created an ‘End of life plan’ for devices and software that are no longer supported

Why is this important?

At some point, updates will no longer be available (as the product reaches the end of its supported life), leaving it fixed at an old version that does not have the latest security patches. This means you need to be planning to replace your devices and software so the new ones are ready to use before the support for older versions expire.

3. Our network architecture minimizes the harm that an attack can cause

Why is this important?

Even the best patching strategy isn’t perfect and there are ‘zero day’ vulnerabilities (that is vulnerabilities with no patches available from the vendor) that can be exploited by attackers. Your network should be designed to contain impact so that compromise of a machine or service isn’t catastrophic for the whole system. Flat networks with no segregation are dangerous. You should be able to describe controls or monitoring that will manage the compromise of any device or service on your network.

4. Make appropriate use of 3rd party or cloud services and focus where you can have most impact

Why is this important?

Even the most competent organisations will struggle to build and maintain complex technology infrastructure. This is something that expert global cloud providers excel at, and making use of hosting and computing services can provide security benefits at a scale that isn’t possible to build yourself. In addition, allowing cloud providers to provision computing services can allow you to focus your scarce security resources on protecting your bespoke applications and user devices, something only you can do.

Q4. How do we make sure our partners and suppliers protect the information we share with them?

At some point you will probably need to share your information with your partners and suppliers. There may be occasions where you wish to allow direct network connectivity between your systems and/or services. It’s important to gain confidence that any information shared with others will be well protected and looked after. For example, you might want to consider any network connectivity you share with partners that could provide a path to attack your systems. As this might not be a direct connection to the internet it is often a weak point and overlooked. You should take steps to ensure that any potential for attack via these connections is minimised.

Possible answers:

1. We look to gain confidence that our partners are not vulnerable to cyber attack

Why is this important?

When you allow partners to access your data (through either data sharing or accounts on your system), you don’t just rely on trust but look to gain confidence in their cyber defences. Choosing organisations that have been certified under the government’s Cyber Essentials Scheme is a good starting point, as this demonstrates they take the protection of their data seriously. However, you should expect any partner to have security that is appropriate for the data or services being shared, and that is analogous to the key controls on your own systems. You should have clear expectations of how your partners protect your data and access your systems.

When setting up sharing or connection agreements with partners, it’s essential that your data and systems are still secure. Security should be built into all agreements from the start, and you should not rely just on trust; all controls need to be checked and audited.

2. We implement technical controls to protect our systems even if a partner gets compromised

Why is this important?

No matter how comprehensive your security agreements with your partners are, and no matter how well they implement their controls, you should assume that your partners will be compromised at some point and plan the security of your systems and data accordingly. Controls that will minimise the impact of any such compromised partner should include:

  • limiting services exposed and information exchanged to the minimum necessary
  • implementing user and system authentication and authorisation before access is granted
  • auditing of sensitive actions or data exchange/access

Q5. What authentication methods are used to control access to systems and data?

Password use is on the increase due to the surge of online services in everyday life. Passwords are an easily-implemented, low-cost security measure, with obvious attractions for managers within enterprise systems. However, passwords can be a relatively weak method of authenticating users, so your password policy should be complemented by other controls to protect your enterprise. For example, you may want to restrict the number of login attempts a user can make before their account times out for a period, or is suspended.

It is also important to note that the proliferation of password use (and increasingly complex password requirements) places an unrealistic demand on most users, further weakening overall system security. For this reason, you should only introduce password controls where they are needed

Possible answers

1. We take measures to encourage the use of sensible passwords

Why is this important?

Default passwords may be widely known and might be easy for an attacker to take advantage of. You should change all default passwords, and ensure staff are required to change the password they are issued for first login, to something unique to them.

Where you require the use of passwords, they should be easy to remember, but hard for somebody else to guess. An example strategy to use is three random words (for example, dogbluetree). You should not enforce unnecessarily complex rules on staff, as it increases the burden on them and rarely increases security. For example many users simply swap an I for a 1 or ! symbol, and hackers know this.

Passwords should not be reused between different accounts, or between work and home. This limits the impact of one password being compromised to the compromise of that specific account. Similarly, you should ensure that you do not ever require shared account logons between users.

2. We ensure passwords don’t put a disproportionate burden on staff

Why is this important?

Your staff have dozens of non-work-related passwords to remember, not just their passwords for work. So only enforce password access to a service if you really need to. Where you do use passwords to access a service or device, do not enforce regular password changes. Passwords only need to be changed on indication or suspicion of compromise.

You should also provide secure storage, so staff can write down passwords, and keep them safe (but not with the device itself). Staff will forget passwords, so make sure they can reset their own passwords easily. Consider the use of password managers, which are tools that can create and store passwords for you that you access via a ‘master’ password.

For internal services, try to use the more modern authentication technologies that are increasingly available with commodity IT. Good system design can minimize the complexity of passwords necessary and the number of times they must be used while maintaining security. Challenge your IT organisation if your passwords are too numerous and too hard to remember.

3. We implement two factor authentication (2FA) where possible

Why is this important?

Accounts that have been set up to use 2FA will require an extra check (for example a code sent to a smartphone, or one created by an app), so even if a criminal knows your password, they won’t be able to access your account. Setting up 2FA is the single most useful thing that you can do to protect important accounts and where possible, should be rolled out to staff and customer accounts.

Source: https://www.ncsc.gov.uk/guidance/board-toolkit-five-questions-your-boards-agenda